public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: devel@edk2.groups.io
Subject: [PATCH V3 0/6] Add Device Security driver
Date: Thu,  7 Nov 2019 21:38:25 +0800	[thread overview]
Message-ID: <20191107133831.22412-1-jiewen.yao@intel.com> (raw)

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

=============== V3 ===============

The V3 version addresses the feedback below:

Liming Gao:
1. Add SPDM spec version and align to latest one 0.99a.

Rangasai Chaganty:
1. put a reference to the spec at the file header, for Intel PCI security spec.
2. add some high level description above the structure definition that
   describes the structure.
3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
   return states

Ray Ni:
1. add comments to each field of structures like EDKII_DEVICE_SECURITY_POLICY
   and EDKII_DEVICE_SECURITY_STATE.
2. add comments to all the macros defined in this patch to explain the meaning
   and more important how they are going to impact the logic.
3. make the macro short
    EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED -> EDKII_DEVICE_MEASUREMENT_REQUIRED
    EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED -> EDKII_DEVICE_AUTHENTICATION_REQUIRED
4. rename the SetDeviceState to NotifyDeviceState.
5. add comments to explain clearly what SetDeviceState() needs to do.
6. change the prototype so that caller needs to pass in a policy structure and
   GetDevicePolicy() fills the structure buffer using CopyMem.
7. add the version macro for EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
   securitypolicy.version and securitystate.version.
8. add clear debug information for DvSec capability header.

=============== V2 ===============

This patch series add support for device security based
upon the DMTF SPDM specification.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip

We did design review at 18 Oct, 2019.
https://edk2.groups.io/g/devel/files/Designs/2019/1018
And the feedback from the meeting is addressed.
https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf

The Device security protocol is added in EDKII repo.
Here we add the producer what follows Intel PCI security spec
to do the device firmware measurement.
https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html

The EDKII repo update is at https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
The EDKII platform repo update is at https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2

The validation has been done on a Intel internal platform.
The device measurement can be shown in TCG event log.

signed-off-by: Jiewen Yao <jiewen.yao@intel.com>

Jiewen Yao (6):
  IntelSiliconPkg/Include: Add Intel PciSecurity definition.
  IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
  IntelSiliconPkg/dec: Add ProtocolGuid definition.
  IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
  IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
  IntelSiliconPkg/dsc: Add Device Security component.

 .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
 .../IntelPciDeviceSecurityDxe.inf             |  45 ++
 .../TcgDeviceEvent.h                          | 178 +++++
 .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
 .../SamplePlatformDevicePolicyDxe.inf         |  40 +
 .../IndustryStandard/IntelPciSecurity.h       |  92 +++
 .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
 9 files changed, 1391 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h

-- 
2.19.2.windows.1


             reply	other threads:[~2019-11-07 13:38 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-07 13:38 Yao, Jiewen [this message]
2019-11-07 13:38 ` [PATCH V3 1/6] IntelSiliconPkg/Include: Add Intel PciSecurity definition Yao, Jiewen
2019-11-08  6:58   ` Ni, Ray
2019-11-07 13:38 ` [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol Yao, Jiewen
2019-11-08  6:59   ` Ni, Ray
2019-11-08  7:01     ` Yao, Jiewen
2019-11-08  7:10       ` Ni, Ray
2019-11-09  7:12         ` Yao, Jiewen
2019-11-07 13:38 ` [PATCH V3 3/6] IntelSiliconPkg/dec: Add ProtocolGuid definition Yao, Jiewen
2019-11-08  7:01   ` Ni, Ray
2019-11-07 13:38 ` [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity Yao, Jiewen
2019-11-11  8:19   ` Ni, Ray
2019-11-11 10:16     ` Yao, Jiewen
2019-11-11 14:40       ` Ni, Ray
2019-11-07 13:38 ` [PATCH V3 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy Yao, Jiewen
2019-11-11  8:23   ` Ni, Ray
2019-11-07 13:38 ` [PATCH V3 6/6] IntelSiliconPkg/dsc: Add Device Security component Yao, Jiewen
2019-11-11  8:23   ` Ni, Ray
2019-11-08  4:23 ` [edk2-devel] [PATCH V3 0/6] Add Device Security driver Javeed, Ashraf
2019-11-08  5:14   ` Yao, Jiewen
2019-11-08 10:25     ` Javeed, Ashraf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191107133831.22412-1-jiewen.yao@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox